HIPAA: Any requirement to separate data viewing applications from databases?

Posted on 2009-04-29
Last Modified: 2013-11-14

We've recently completed a successful (but small) prototype/pilot program involving the collection of "hazard-identification" data from health care workers.  Our "system" is comprised of 3 parts: a web-based data collection application, a data analysis application, and a database of stored data.  Although we don't specifically solicit sensitive info (directly covered by HIPAA) the health care workers frequently include this sort of information in their reports (to add context, for follow-up, etc.).

For the pilot program all of this was accomplished via a dedicated hosted server.  As we move forward, and expand, we're looking to implement a number of steps to ensure that we remain HIPAA compliant "beyond the science project mode".  In working with the tech support engineers at the Tier II SAS 70 data center that we intend to use, we're being told that "your database needs to be maintained on a separate server from any data analysis program."

I understand the logic and rationale behind this -- and I appreciate the engineers' input -- but I'd like to find a specific reference that stipulates the need for this particular set-up.

If anyone could point me in the right direction, that would be great!  
Question by: blockmental
    LVL 38

    Expert Comment

    by:Jim P.
    Reading the Security Standards Technical Safeguards PDF at the HHS CMS Security Materials website -- there is no requirement to have separate servers to split the data from the app.

    From the technical/ sys admin /user point of view, you should make the app able to be on a separate server, because you are bound to run into some user who will be running it on several small servers, need to do clusters, or has a security standard that says the same thing.

    HHS CMS Security Materials

    Security Standards Technical Safeguards [PDF, 238KB]

    Author Comment

    Hello jimpen,

    I appreciate the input (and the links) and if you wouldn't mind, please...

    As part of our "process" we serve as the 3rd-party "analysis provider" and we're the only ones with access to the data analysis app (i.e., the "customers" can't run their own reports or view any of the raw data).  The only access the "customers" have to our software is via the web-based data collection app.

    I'm not certain that this makes any difference WRT your comments about how a technical/sys admin/user might view all of this... but I'm HUGELY interested in pursuing something akin to a "best practice".  The data center engineers are telling us that in order to set-up two servers, plus a firewall, we need to get into a rack (vs. just a standalone dedicated server with a firewall).

    What they're saying makes sense, but not being a techie type I'm curious as to whether (or not) the requirement to place both servers in the same rack is necessary.  Normally I'd say, "just do it" but the "rack option" seems to have a considerable impact on the cost per month.  As soon as the rack option was introduced we suddenly started talking about more costly servers, a more expensive firewall, and the need (which I can understand) for some rather hefty monthly management fees.

    Any thoughts on the rack (vs. no rack) set-up would be most welcome -- ESPECIALLY if the "rack option" doesn't add to our overall level of security/safe-keeping.

    Many thanks again!
    LVL 38

    Accepted Solution

    Any web app -- whether gathering data or giving it back (especially financial & health data) needs to be in a DMZ. Even if you are using a VPN solution, you should restrict exposure of your internal network as much as possible to an outside vendor/ consumer.

    Typically your web server resides in a space that can be accessed from the internet and has very restricted links through the firewall into the internal network to read/write data. Your web app is considered an N-Tier app -- meaning 50 or 500 users can be accessing it and it controls R/W of data to the database.

    Then your analysis app can be done either as N-Tier or client-server. The N-Tier there can be a client install that goes to the app server and the app server connects to the database.  The reasons for going the app server route can vary:

    Security: no client ever talks to the DB directly.

    Work load: the queries are complex/long running and the typical client can't do it.

    Load balancing: you want to be able to have multiple app servers so you can scale or load balance connections to the same DB.

    Network: the clients and app server reside in a remote location from the DB -- if your clients go back to the server direct you saturate the bandwidth.

    Web enabled: you want to use a web page to do analysis instead of touching clients every time you upgrade.

    I can't tell you the best answer. It depends on your business model, your project plans, design considerations etc.

    You will definitely need 2 servers -- the one that faces the web and the DB server. Beyond that it comes back to your design and model.
    N-Tier Application Architecture

    This link is for WebSphere -- but it is pretty much the same regardless:

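As an added illustration of the layout described in the accepted solution (web server in a DMZ, only restricted links through the firewall into the internal network, no client ever talking to the DB directly), the following script audits a constructed firewall rule set against that policy. It is not code from the thread; the addresses, the SQL Server port, and the host roles are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (placeholders, not the asker's real network).
DMZ      = ipaddress.ip_network("203.0.113.0/24")   # web data-collection app lives here
INTERNAL = ipaddress.ip_network("10.10.0.0/24")     # app server and DB server live here
WEB_HOST = "203.0.113.10"                           # internet-facing web app
APP_HOST = "10.10.0.10"                             # analysis app server
DB_HOST  = ipaddress.ip_address("10.10.0.20")
DB_PORT  = 1433                                     # assumed SQL Server port
DB_CLIENTS = {ipaddress.ip_network(h) for h in (WEB_HOST, APP_HOST)}

@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or single address
    dst: str
    port: int     # 0 = any port
    action: str   # "allow" or "deny"

def check_rule(rule):
    """Return a reason string if an allow rule breaks the tiering policy, else None."""
    if rule.action != "allow":
        return None
    src = ipaddress.ip_network(rule.src, strict=False)
    dst = ipaddress.ip_network(rule.dst, strict=False)
    # Policy 1: only the web tier and the app server may open the DB port.
    if DB_HOST in dst and rule.port in (0, DB_PORT) and src not in DB_CLIENTS:
        return f"direct DB access from {rule.src}"
    # Policy 2: nothing outside the DMZ or internal segment reaches internal hosts.
    external = not (src.subnet_of(DMZ) or src.subnet_of(INTERNAL))
    if external and dst.overlaps(INTERNAL):
        return f"external source {rule.src} reaches internal segment"
    return None

def audit(rules):
    """Return [(rule, reason)] for every rule that violates the policy."""
    return [(r, reason) for r in rules if (reason := check_rule(r))]

# Constructed rule set: three rules that fit the model, two that collapse the tiers.
RULES = [
    Rule("0.0.0.0/0", "203.0.113.10", 443, "allow"),     # internet -> web app: fine
    Rule("203.0.113.10", "10.10.0.20", 1433, "allow"),   # web app -> DB: fine
    Rule("10.10.0.10", "10.10.0.20", 1433, "allow"),     # app server -> DB: fine
    Rule("0.0.0.0/0", "10.10.0.20", 1433, "allow"),      # internet -> DB: violation
    Rule("192.168.5.0/24", "10.10.0.20", 1433, "allow"), # analyst PCs -> DB: violation
    Rule("0.0.0.0/0", "10.10.0.0/24", 0, "deny"),        # default deny: fine
]

for rule, reason in audit(RULES):
    print(f"VIOLATION {rule.src} -> {rule.dst}:{rule.port}  ({reason})")
```

Running it reports the two rules that let something other than the web tier or the app server open the database port, which is exactly the "two servers plus a firewall" split the data center engineers were describing.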
    Author Closing Comment

    Thanks jimpen!

    I'm always amazed at the lengths to which people such as yourself will go to on this forum to explain things... and especially when it comes to non-techies wrestling with unfamiliar issues.

    Again, many thanks for confirming/validating what the data center engineers were suggesting.

    All the best!
    LVL 38

    Expert Comment

    by:Jim P.
    Glad to be of assistance. May all your days get brighter and brighter.
